Researchers know how to manipulate smart traffic lights

08 September 2020 - Published by Matteo Candelari

Two security researchers from the Netherlands have managed to mislead smart traffic lights (iVRIs). They were able to turn a cyclist's traffic light green from a distance, even though nobody was approaching. The system could not be manipulated in such a way that two traffic flows were given the green light at the same time, but traffic disruption, for example, is certainly possible, warn Wesley Neelen and Rik van Duijn.

The two security researchers at Zolder gave a presentation about this at the DEF CON conference. Through online communication, a smart traffic light knows when, for example, cars, cyclists or buses are arriving. As a result, a cyclist or other road user does not have to wait as long for a green light, or does not have to stop at all. Among other things, this can improve traffic flow. More than a thousand intersections in the Netherlands will be equipped with such iVRIs.


Neelen and Van Duijn used the apps that cyclists can install to get a green light faster. Via the app, the cyclist's location is communicated to the traffic light installation, so that the cyclist gets a green light sooner, or immediately, at an intersection. This turned out to be quite easy for the two to manipulate. They could even send an unlimited number of cyclists towards a traffic light, and there was no check on whether anyone was actually approaching.

The researchers' work aims to highlight the importance of good and safe systems and apps, as smart traffic lights will increasingly appear on the streets. There are already more than 500 iVRI installations in various cities in the Netherlands.

They therefore end with three recommendations. First, authentication must take place to ensure that only one cyclist is arriving. Second, potential abuse should be monitored in the backend, for example by searching for strange or striking patterns. Third, when abuse is discovered, the two advise blocking the user.
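The backend check described in these recommendations can be sketched as follows. This is an added example, not code from the researchers, the apps or any traffic light supplier; the report fields, account names, thresholds and sample data are all assumptions constructed for illustration.

```python
import math
from collections import defaultdict

MAX_SPEED_MS = 15.0      # assumed ceiling for a cyclist (~54 km/h)
WINDOW_S = 60            # assumed look-back window per intersection

# Constructed sample reports: (account, cyclist_id, intersection, unix_time, lat, lon)
REPORTS = [
    ("acct-a", "c1", "X1", 0,  52.00000, 4.00000),
    ("acct-a", "c1", "X1", 10, 52.00050, 4.00000),   # ~56 m in 10 s: plausible
    ("acct-b", "c2", "X1", 0,  52.00000, 4.00100),
    ("acct-b", "c3", "X1", 5,  52.00010, 4.00100),   # second cyclist, same account
    ("acct-b", "c4", "X1", 9,  52.00020, 4.00100),
    ("acct-c", "c5", "X2", 0,  52.10000, 4.10000),
    ("acct-c", "c5", "X2", 10, 52.11000, 4.10000),   # ~1.1 km in 10 s: implausible
]

def distance_m(lat1, lon1, lat2, lon2):
    """Equirectangular approximation, adequate over short distances."""
    x = math.radians(lon2 - lon1) * math.cos(math.radians((lat1 + lat2) / 2))
    y = math.radians(lat2 - lat1)
    return 6371000 * math.hypot(x, y)

def find_abuse(reports):
    """Return {account: set of reasons} for accounts that should be blocked."""
    flagged = defaultdict(set)
    last_seen = {}                      # (account, cyclist) -> (t, lat, lon)
    recent = defaultdict(list)          # (account, intersection) -> [(t, cyclist)]
    for acct, cyc, inter, t, lat, lon in sorted(reports, key=lambda r: r[3]):
        # Check 1: one authenticated account may announce only one cyclist.
        window = [(ts, c) for ts, c in recent[(acct, inter)] if t - ts <= WINDOW_S]
        window.append((t, cyc))
        recent[(acct, inter)] = window
        if len({c for _, c in window}) > 1:
            flagged[acct].add("multiple_cyclists")
        # Check 2: position jumps faster than a bicycle can travel.
        prev = last_seen.get((acct, cyc))
        if prev and t > prev[0]:
            speed = distance_m(prev[1], prev[2], lat, lon) / (t - prev[0])
            if speed > MAX_SPEED_MS:
                flagged[acct].add("implausible_speed")
        last_seen[(acct, cyc)] = (t, lat, lon)
    return dict(flagged)

if __name__ == "__main__":
    for account, reasons in find_abuse(REPORTS).items():
        print("block", account, sorted(reasons))
```

Both checks depend on every report being tied to an authenticated account, which is why the first recommendation comes before the monitoring one.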


Incidentally, no indications have been found so far that other road users could also be imitated. Van Duijn and Neelen also shared their findings with the sector. In a response, the Talking Traffic partnership emphasizes that the hacked apps and VRI installations are not among the hundreds of smart traffic lights under the responsibility of Talking Traffic, so those were not hacked. The hack concerns two apps and traffic lights that fall outside this data chain and do not contain such control functions and prevention measures.

Moreover, there is now good contact between the hackers, the suppliers, the municipalities and the Ministry of Infrastructure and Water Management. “This hack underlines the need for cooperation between governments and industry to make good agreements about information security, to monitor and further develop it. That has and keeps our attention”, said Talking Traffic in a response. 



Originally published in Dutch on 6 August 2020 at